Role Assignments

The Role Assignments APIs allow you to assign custom roles, and designate third-party admin status, to users, groups and public client apps.

List all Assigned Roles of Group
OAuth 2.0: `okta.roles.read`

Lists all assigned roles of group identified by groupId

Request

path Parameters

groupId

required

string

The id of the group

Example: 00g1emaKYZTWRYYRRTSK

query Parameters

expand

string

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/groups/{groupId}/roles

Request samples

Response samples

200
403
404
429

application/json

[{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}
]

Assign a Role to a Group
OAuth 2.0: `okta.roles.manage`

Assigns a role to a group

Request

path Parameters

groupId

required

string

The id of the group

Example: 00g1emaKYZTWRYYRRTSK

query Parameters

disableNotifications

boolean

Setting this to true grants the group third-party admin status

Request Body schema: application/json
required

type

string (RoleType)

Standard role type

Enum:	Description
API_ACCESS_MANAGEMENT_ADMIN	Access Management Administrator
API_ADMIN	Access Management Administrator
APP_ADMIN	Application Administrator
CUSTOM	Custom label specified by the client
GROUP_MEMBERSHIP_ADMIN	Group Membership Administrator
HELP_DESK_ADMIN	Help Desk Administrator
MOBILE_ADMIN	Mobile Administrator
ORG_ADMIN	Organizational Administrator
READ_ONLY_ADMIN	Read-Only Administrator
REPORT_ADMIN	Report Administrator
SUPER_ADMIN	Super Administrator
USER_ADMIN	Group Administrator

Responses

200

Success

201

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/groups/{groupId}/roles

Request samples

application/json

{"type": "API_ACCESS_MANAGEMENT_ADMIN"
}

Response samples

200
400
403
404
429

application/json

{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}

Retrieve a Role assigned to Group
OAuth 2.0: `okta.roles.read`

Retrieves a role identified by roleId assigned to group identified by groupId

Request

path Parameters

groupId required	string The `id` of the group Example: 00g1emaKYZTWRYYRRTSK
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/groups/{groupId}/roles/{roleId}

Request samples

Response samples

200
403
404
429

application/json

{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}

Unassign a Role from a Group
OAuth 2.0: `okta.roles.manage`

Unassigns a role identified by roleId assigned to group identified by groupId

Request

path Parameters

groupId required	string The `id` of the group Example: 00g1emaKYZTWRYYRRTSK
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/groups/{groupId}/roles/{roleId}

Request samples

Response samples

403
404
429

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Users with Role Assignments
OAuth 2.0: `okta.roles.read`

Lists all users with Role Assignments

Request

query Parameters

after	string
limit	integer <int32> Default: 100 Specifies the number of results returned. Defaults to `100`.

Responses

200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/iam/assignees/users

Request samples

Response samples

200
403
429

application/json

{"value": [{"id": "00u118oQYT4TBGuay0g4",
"orn": "orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4",
"_links": {"self": {"href": "http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4"
},
"roles": {"href": "http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles"
}
}
}
],
"_links": {"next": {"href": "http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1"
}
}
}

List all Roles assigned to a User
OAuth 2.0: `okta.roles.read`

Lists all roles assigned to a user identified by userId

Request

path Parameters

userId

required

string

ID of an existing Okta user

query Parameters

expand

string

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/roles

Request samples

Response samples

200
403
404
429

application/json

[{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}
]

Assign a Role to a User
OAuth 2.0: `okta.roles.manage`

Assigns a role to a user identified by userId

Request

path Parameters

userId

required

string

ID of an existing Okta user

query Parameters

disableNotifications

boolean

Setting this to true grants the user third-party admin status

Request Body schema: application/json
required

type

string (RoleType)

Standard role type

Enum:	Description
API_ACCESS_MANAGEMENT_ADMIN	Access Management Administrator
API_ADMIN	Access Management Administrator
APP_ADMIN	Application Administrator
CUSTOM	Custom label specified by the client
GROUP_MEMBERSHIP_ADMIN	Group Membership Administrator
HELP_DESK_ADMIN	Help Desk Administrator
MOBILE_ADMIN	Mobile Administrator
ORG_ADMIN	Organizational Administrator
READ_ONLY_ADMIN	Read-Only Administrator
REPORT_ADMIN	Report Administrator
SUPER_ADMIN	Super Administrator
USER_ADMIN	Group Administrator

Responses

201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/roles

Request samples

application/json

{"type": "API_ACCESS_MANAGEMENT_ADMIN"
}

Response samples

201
400
403
404
429

application/json

{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}

Retrieve a Role assigned to a User
OAuth 2.0: `okta.roles.read`

Retrieves a role identified by roleId assigned to a user identified by userId

Request

path Parameters

userId required	string ID of an existing Okta user
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/roles/{roleId}

Request samples

Response samples

200
403
404
429

application/json

{"assignmentType": "GROUP",
"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"label": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"status": "ACTIVE",
"type": "API_ACCESS_MANAGEMENT_ADMIN",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"templated": true,
"type": "string"
}
}
}

Unassign a Role from a User
OAuth 2.0: `okta.roles.manage`

Unassigns a role identified by roleId from a user identified by userId

Request

path Parameters

userId required	string ID of an existing Okta user
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/users/{userId}/roles/{roleId}

Request samples

Response samples

403
404
429

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Roles for a Client
OAuth 2.0: `okta.roles.read`

Lists all Roles by clientId

Request

path Parameters

clientId

required

string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/oauth2/v1/clients/{clientId}/roles

Request samples

Response samples

200
403
404
429

application/json

[{"id": "JBCUYUC7IRCVGS27IFCE2SKO",
"label": "Help Desk Administrator",
"type": "HELP_DESK_ADMIN",
"status": "ACTIVE",
"created": "2023-05-01T14:24:54.000Z",
"lastUpdated": "2023-05-01T14:24:54.000Z",
"assignmentType": "CLIENT",
"_links": {"assignee": {"href": "https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles"
}
}
},
{"id": "irb4ey26fpFI3vQ8y0g7",
"label": "view_minimal",
"type": "CUSTOM",
"status": "ACTIVE",
"created": "2023-05-01T15:16:47.000Z",
"lastUpdated": "2023-05-01T15:16:47.000Z",
"assignmentType": "CLIENT",
"resource-set": "iam4cxy6z7hhaZCSk0g7",
"role": "cr04cxy6yzSCtNciD0g7",
"_links": {"role": {"href": "https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7"
},
"resource-set": {"href": "https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7"
},
"permissions": {"href": "https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions"
},
"member": {"href": "https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7"
},
"assignee": {"href": "https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7"
}
}
}
]

Assign Role to Client
OAuth 2.0: `okta.roles.manage`

Assigns a Role to a Client

Request

path Parameters

clientId

required

string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD

Request Body schema: application/json
required

One of:

type	string Standard role type

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/oauth2/v1/clients/{clientId}/roles

Request samples

application/json

{"type": "HELP_DESK_ADMIN,"
}

Response samples

200
403
404
429

application/json

{"id": "JBCUYUC7IRCVGS27IFCE2SKO",
"label": "Help Desk Administrator",
"type": "HELP_DESK_ADMIN",
"status": "ACTIVE",
"created": "2023-05-01T14:24:54.000Z",
"lastUpdated": "2023-05-01T14:24:54.000Z",
"assignmentType": "CLIENT",
"_links": {"assignee": {"href": "https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles"
}
}
}

Retrieve a Client Role
OAuth 2.0: `okta.roles.read`

Retrieves a Client Role

Request

path Parameters

clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/oauth2/v1/clients/{clientId}/roles/{roleId}

Request samples

Response samples

200
403
404
429

application/json

{"id": "JBCUYUC7IRCVGS27IFCE2SKO",
"label": "Help Desk Administrator",
"type": "HELP_DESK_ADMIN",
"status": "ACTIVE",
"created": "2023-05-01T14:24:54.000Z",
"lastUpdated": "2023-05-01T14:24:54.000Z",
"assignmentType": "CLIENT",
"_links": {"assignee": {"href": "https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles"
}
}
}

Unassign a Role from a Client
OAuth 2.0: `okta.roles.manage`

Unassigns a Role from a Client

Request

path Parameters

clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
roleId required	string `id` of the Role Example: 3Vg1Pjp3qzw4qcCK5EdO

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/oauth2/v1/clients/{clientId}/roles/{roleId}

Request samples

Response samples

403
404
429

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

Role Assignments

List all Assigned Roles of GroupOAuth 2.0: okta.roles.read

path Parameters

query Parameters

Assign a Role to a GroupOAuth 2.0: okta.roles.manage

path Parameters

query Parameters

Request Body schema: application/jsonrequired

Retrieve a Role assigned to GroupOAuth 2.0: okta.roles.read

path Parameters

Unassign a Role from a GroupOAuth 2.0: okta.roles.manage

path Parameters

List all Users with Role AssignmentsOAuth 2.0: okta.roles.read

query Parameters

List all Roles assigned to a UserOAuth 2.0: okta.roles.read

path Parameters

query Parameters

Assign a Role to a UserOAuth 2.0: okta.roles.manage

path Parameters

query Parameters

Request Body schema: application/jsonrequired

Retrieve a Role assigned to a UserOAuth 2.0: okta.roles.read

path Parameters

Unassign a Role from a UserOAuth 2.0: okta.roles.manage

path Parameters

List all Roles for a ClientOAuth 2.0: okta.roles.read

path Parameters

Assign Role to ClientOAuth 2.0: okta.roles.manage

path Parameters

Request Body schema: application/jsonrequired

Retrieve a Client RoleOAuth 2.0: okta.roles.read

path Parameters

Unassign a Role from a ClientOAuth 2.0: okta.roles.manage

path Parameters

List all Assigned Roles of Group
OAuth 2.0: `okta.roles.read`

Assign a Role to a Group
OAuth 2.0: `okta.roles.manage`

Request Body schema: application/json
required

Retrieve a Role assigned to Group
OAuth 2.0: `okta.roles.read`

Unassign a Role from a Group
OAuth 2.0: `okta.roles.manage`

List all Users with Role Assignments
OAuth 2.0: `okta.roles.read`

List all Roles assigned to a User
OAuth 2.0: `okta.roles.read`

Assign a Role to a User
OAuth 2.0: `okta.roles.manage`

Request Body schema: application/json
required

Retrieve a Role assigned to a User
OAuth 2.0: `okta.roles.read`

Unassign a Role from a User
OAuth 2.0: `okta.roles.manage`

List all Roles for a Client
OAuth 2.0: `okta.roles.read`

Assign Role to Client
OAuth 2.0: `okta.roles.manage`

Request Body schema: application/json
required

Retrieve a Client Role
OAuth 2.0: `okta.roles.read`

Unassign a Role from a Client
OAuth 2.0: `okta.roles.manage`